Latest Leak: NSA Collects Bulk Email Metadata On Americans

from the so-there's-that... dept

The NSA leaks just keep on coming, and the latest one is a big one. It's concerning the NSA is about the Stellar Wind program -- which had been revealed before, and which former NSA whistleblower Bill Binney has discussed in the past -- but Binney left the NSA in 2001. The latest document is a report from the Inspector General that confirms some of the claims Binney has made in the past, showing that the NSA collected "bulk metadata" on emails of US persons. The program started as only being about non-US persons, but was later expanded by the DOJ in 2007 to cover US persons as well.

According to a top-secret draft report by the NSA's inspector general – published for the first time today by the Guardian – the agency began "collection of bulk internet metadata" involving "communications with at least one communicant outside the United States or for which no communicant was known to be a citizen of the United States".

Eventually, the NSA gained authority to "analyze communications metadata associated with United States persons and persons believed to be in the United States", according to a 2007 Justice Department memo, which is marked secret.

So, remember all that stuff the NSA and the President and various elected officials were saying about how they're not collecting internet data on Americans? And how they have minimization procedures and all of that? Yeah. So, that was -- yet again -- less than 100% accurate. Or, as Director of National Intelligence James Clapper likes to say, it was, perhaps, the "least untruthful" version of the events, meaning that it wasn't truthful.

Of course, the defenders of the program will say that this is okay because it was "just metadata," rather than the contents of email, but that's a huge cop out, since metadata can tell you an awful lot:

The internet metadata of the sort NSA collected for at least a decade details the accounts to which Americans sent emails and from which they received emails. It also details the internet protocol addresses (IP) used by people inside the United States when sending emails – information which can reflect their physical location. It did not include the content of emails.

On top of that, defenders of the metadata collection of phone records claimed that there was no privacy in the phone numbers you called and the duration of calls, because that information was clearly on your phone bill that the company sent to you each month. But that's not the case with email metadata.

For what it's worth, the administration shutdown this particular program in 2011, but that was after it had gone on for 10 years, with the last four involving collecting bulk metadata on Americans.

"The internet metadata collection program authorized by the Fisa court was discontinued in 2011 for operational and resource reasons and has not been restarted," Shawn Turner, the Obama administration's director of communications for National Intelligence, said in a statement to the Guardian.

"The program was discontinued by the executive branch as the result of an interagency review," Turner continued. He would not elaborate further.

However, as Glenn Greenwald and Spencer Ackerman at the Guardian (who broke this story as well) have noted, they have evidence that at least a similar program continues today:

In December 2012, for example, the NSA launched one new program allowing it to analyze communications with one end inside the US, leading to a doubling of the amount of data passing through its filters.

Some of the report actually helps to confirm a Washington Post story from last week about how this bulk metadata collection was initially done under no authority, but when various DOJ officials threatened to resign, they quickly got the FISA court to pull out its trusty giant rubber stamp to allow bulk data collection on emails.

The expansion of metadata collection and analysis to cover Americans came about as the NSA insisted this would help them better find foreign threats:

"NSA believes that it is over-identifying numbers and addresses that belong to United States persons and that modifying its practice to chain through all telephone numbers and addresses, including those reasonably believed to be used by a United States person," Wainstein wrote, "will yield valuable foreign intelligence information primarily concerning non-United States persons outside the United States."

Basically this pretty much confirms my earlier post about how the NSA (and the DOJ) are carefully defining "target" in their mandate. Most people believe that since the NSA can only target persons outside the US that they cannot collect data on US persons. However, if (as may be the case) they claim that the overall investigation is "targeting" non-US persons, it appears they believe they can collect and analyze data on US persons, meaning that they've effectively justified bulk spying on Americans if it might possibly bring to light a foreign threat.

One thing that is not clearly described is exactly how the NSA is getting access to this data, but from previous leaks, it appears that the data almost certainly comes from working with telcos to install systems that scoop up all data going through major ISPs/backbones. Either way, it seems abundantly clear, yet again, that the NSA surveillance, contrary to statements from the NSA and its defenders, included a ton of information on Americans.

Reader Comments

Re:

he communications of the jungle tribes in place like New Guinea and he amazon forest. Though they may have some communications of the latter who have decided that they need access to the Internet so they can get involved in politics to protect their jungle and life style.

Re:

Is there any longer any creditability to the executive branch, the legislature branch, or FISA?

I notice that all has been quiet on the denial front for the last few days as they try various methods of damage control through character assassination.

What I am not hearing is anything involving any sort of public apology, any sort of rectifying of the laws with serious intent to fix this mess, nor any sort of address to the public over the massacring of The Declaration of Independence or the Constitution in the process and what will be done to fix it. Not change the process, not moving things so they are again hidden, but address this run-a-way Stazi police state mentality. All seems quiet on that front, indicating that damage control is still deemed the way forward.

This government in my opinion is rapidly loosing it's consent to govern.

Re:

I think the damage has already became critical and impossible to control. I think that much like politicians are struggling to understand wtf is happening here in Brazil the US Govt is still assessing the extension of the damage, unable to take proper action.

The image of the US is greatly damaged and the leaks originated much more cracks where bad smell is coming out as some sort of fetid pestilence.

The question is: how much more will the Americans need to burst out in protests? When are they going to move their asses?

"Latest leak ... which had been revealed before"...

We already KNOW the problem. Some may not yet be ready to admit the full extent of the spying, of which Google is a giant part, but everyone KNOWS the basics and that it's WRONG. At least try to take another slant on it, college boy, such as asking what the next step is. -- I'll help you out: So far, this limited hangout has only served the NSA. Now they're ready to move to a higher level of tyranny.

Re: "Latest leak ... which had been revealed before"...

It's not that we didn't know that they were doing it before. It's that we didn't have evidence to prove it so they were able to just deny it. So what is happening now is they are methodically releasing the documentation a little at a time that proves all of the denials were lies and all of the previously stated concerns were valid. They are slowly building a rock solid case against them all for the entire public to consider. A case from whence they have no possibility of weaseling out of. That is what is happening.

Gosh a vast overreach of government powers being expanded to encompass the citizenry as well?

Who would have seen this coming?!?

Except me, I remember being called a tinfoiler using the slippery slope fallacy way back when I was arguing that the only difference between using this on "terrorists" and US citizens is a single press of a button.

Changing its name != shutting it down

For what it's worth, the administration shutdown this particular program in 2011...However, as Glenn Greenwald and Spencer Ackerman at the Guardian (who broke this story as well) have noted, they have evidence that at least a similar program continues today

This reminds me of the whole TIA fiasco. When TIA got explicitly unfunded, they just changed it's name and carried on.

Public shaming is not enough

No matter how many lies are exposed, and no matter how many people or media agencies speak out about this, nothing will change.

The only things that matter are if a court says stop it, or if congress passes a law to stop it (and they'll probably need 2/3 to overcome a veto).

And even, then it only matters if there is an independent group that has full access to monitor compliance. All the FISA courts, and intelligence committees in the world are no good if all they have to go on is the least untruthful answers fed to them.

I can't help but wonder,

Spam

This leaves one to wonder how they (NSA) handles spam. There is at least the possibility that any spam might originate overseas (Nigeria maybe?). There are sufficient fools in the world that actually click on the spam that creates some sort of reverse connection. This would satisfy their 'communication' overseas (ahem) 'requirement', but without the content, how do they know it's spam?

Wouldn't it be satisfying if the next 'release' of NSA data confirms that the NSA's servers are 3/4's full of spam. Yeah, we got you terrorists.

Re: Re: but isn't the metadeta and content on the same file?

So... if lots and lots of us used cute little keyword-generator scripts and appended inflammatory scan-bait to the ends of all our e-mails... would it annoy our captors? I mean, uh... those who insure our security? Would it make their scanning computers emit smoke and then explode, like in the movies?

As long as they're doing all that collecting,

maybe they could enforce the lost and forgotten Don't Call List? The government's total failure to get such a simple thing working makes me wonder if their more massive date snooping produces anything they even look at.

Define "rubber stamp"

Please compare the approval rate of "standard warrants" to "FISA warrants". I think the approval rate of standard warrants is pretty high, too. If they are comparable, I think calling FISC a rubber stamp would be a hard sell without calling every Federal court that approves wiretaps a rubber stamp.

Re: Define "rubber stamp"

The rates are comparable. I found the wiretap report issued to Congress for 2007, and it showed:

In 2007, according to the report, 2,208 applications for wiretap orders were submitted to state and federal courts. 457 were in federal cases, the rest state. The courts granted every application, and of the 2,208 authorized wiretaps, 2,119 of them were installed.

Note that most wiretaps are not reported ("roving" and FISA wiretaps are specifically excluded).

I think calling FISC a rubber stamp would be a hard sell without calling every Federal court that approves wiretaps a rubber stamp.

Yes. The courts have long been accused of rubberstamping wiretap requests, even before FISA existed, so this wouldn't be a new accusation at all.

Personally, although the approval rate can be an indicator, it isn't proof of rubberstamping. The only way to be able to determine whether or not the whole thing is a joke is to actually review the court's actions, which is impossible (at least for the FISC).

I lean toward thinking such requests are rubberstamped on the theory that there's little reason to think that the FISC would behave substantially different than the other courts have in the past.

"So, remember all that stuff the NSA and the President and various elected officials were saying about how they're not collecting internet data on Americans? And how they have minimization procedures and all of that? Yeah. So, that was -- yet again -- less than 100% accurate. Or, as Director of National Intelligence James Clapper likes to say, it was, perhaps, the 'least untruthful' version of the events, meaning that it wasn't truthful."

Meaning that they were caught lying for the umpteenth time.

As for the NSA collecting metadata, uh, sure thing. So they created a massive facility in Utah just to store IP addresses and NOT the contents of people's e-mails and other communications? I've got a bridge to sell you...

As a person who deals with metadata and data models every day, I wish the government and the press would get the language right here. It isn't metadata, it's data.

Emails have a header that includes the email addresses of the sender, receiver, reply-to and possibly other parties. It includes timestamps, subject lines, and other information. There are all part of the data content of an email message just as much as the actual words the sender typed in the body of the message.

Metadata would be data about the data--data element names, descriptions of what each data element means, data types and sizes, that kind of thing.

Put another way, would you say that the date and to/from addresses at the top of a business letter were not part of the letter? No.

Expectation of privacy

"...because that information was clearly on your phone bill that the company sent to you each month..."
I wasn't aware that my phone bill was sent to anyone OTHER than me. Since, I believe, it's illegal for the postal service to knowingly deliver MY mail to anyone else and also for anyone to delibrately intercept my mail (except with a warrent, or course), why would I NOT have an expectation of privacy?

please

Hello dear,My name is Mrs Olayemi Mary Julianah, A United Kingdom citizen and I reside for almost 22 years now in Benin Republic for purely Gold Business. My company name is: (Berossy Gold Sarl).Dearest, I am sharing this message to explain what I currently lives as tragedy and also the decision that I took presently.I have been a few months victim of an incurable disease that eats away at my health.I am suffering because of a throat cancer. Everything inside of my throat has become a big wound that continues to rot and deteriorate more. The disease prevents me now to talk and even eat properly.today, I have no one because I am an orphan since I was born and grew up in an orphanage. Also, I lost my husband seven years ago, unfortunately, we could not have children because he was diagnose of low sperm count and we where on the treatment before he died. To top it all, all our friends and contacts have forsaken me since the death of my late husband, it was just''profiteers''.Today,I am left to myself and am master of all I want to take but unfortunately my health prevents me from taking care of something arbitrary.After several results and analysis in various European and American clinics and presently at London where i am now, The doctors, told me that my days are now numbered, that i am living the last moments of my life.I am therefore sentenced to 65years dying from this terrible disease because my doctor has just informed me there were only one month to live on this earth and that men can not do anything for me.That is why I contacted you to ask you a great service as it would not be possible for me to do it myself because of my health.I deposited in September 2006 in financial institute, a large sum of money Four million euros ( 4,000,000€ ).I will want to hand over this money to you as to enable you establish a charitable foundation in my memory so that God's grace be with me until my last home and I can enjoy an honorable place with the Lord our father.If you will be willing to assist me on this project, kindly reply (olayemimary101@yahoo.com) me and i will send you details with financial institute where I deposited the fund and I will also sworn an affidavit for change of ownership status that will officially and legally makes you the beneficiary to my funds, so that even if i die you will not have any confrontation from any body in receiving the funds. Please do reply me on my private email above because I don't always be on here.